[OpenID] Musing on FaceBook, OpenID and the next mountain to climb

Nat Sakimura n-sakimura at nri.co.jp
Thu Jul 31 08:32:07 UTC 2008 

Well, from my perspective, not quite.

I am not talking about automagic legal term negotiation - there need to be
human intervention always, but this aspect is rather important for making
it really useful in ecommerce setting since it gives a kind of  
non-repudiation.

I am not quite sure on what we can do for verifying trust/assurance levels
purely on signal. It got to be larger on the scope, and there are works
that has been done on it, e.g.,  Liberty's assurance framework.
In this respect, I would rather just create a OpenID profile of the  
Liberty's
framework, rather than starting afresh.

Then, reputation is somewhat overlapping topic to the assurance, and is
something that requires separate attention.

=nat

On Thu, 31 Jul 2008 02:05:50 +0900, Peter Williams  
<pwilliams at rapattoni.com> wrote:

> Focus on signals for providing and verifyin trust/assurance levels (just  
> like ssl sends lists acceptable CAs and proposed ciphersuites)
>
> Don't address the "battle of the legal terms" topic (avoid doing as did  
> those who wanted certain legal presumptions or obligations to be  
> established when, for example, a cert from a certain authority bearing a  
> certain exension is handled by the relying party)
>
> What we ideally don't want to focus on is the scenario in which the rp  
> claims to the user, after an openid e-commerce experience: ah but the  
> fine print in the policy presented during rp discovery shows you (via  
> your op) agreed that this transaction would be limited to, for example,  
> final sale rules (no return rights).
>
>
> -----Original Message-----
> From: Johannes Ernst <jernst+openid.net at netmesh.us>
> Sent: Wednesday, July 30, 2008 9:47 AM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: OpenID List <general at openid.net>
> Subject: Re: [OpenID] Musing on FaceBook, OpenID and the next mountain  
> to climb
>
>
> So what would that mean in terms of what work to focus on what work to
> leave out?
>
> On 2008/07/30, at 8:23, Peter Williams wrote:
>
>> Every handshake protocol eventually hits the point where scalability
>> and assurance requirements lead design teams to consider capability
>> exchange and negotiation. For example, in ssl one has ciphersuites
>> and trust points, each being negotiated in a suitable phase of the
>> handshake. In the case of ssl, much of the capability negotiation
>> and management is delegated - to the key management protocol that
>> aligns with the ciphersuite (eg kerberos for kerberos ciphersuites).
>> One can venture that ssl adoptability was in part due to reliance on
>> such infrastructures for trustworthiness and assurance: which
>> allowed the designers to avoid reengineering the wheel, probably
>> badly. Negotiation of capabilities exchange  security handshakes
>> requires careful security handshake design, note.
>>
>> Openid might want to take the posture that its goal is to provide
>> the integration points for other system's reputation,
>> trustworthiness, capability negotiations handling. For example, one
>> might opt to let established routing logic handle trustwortiness
>> metrics (since handling of routes of different trustworthiness is an
>> advanced art in the vpn and virtual routing domain fields, these
>> days).
>>
>> Id split from assurance/trustworthiness issues the issue of terms
>> negotiation. In both the edi and early pki era, folks played with
>> using such as cert fields to encode legal terms, and otherwise use
>> reliance procedures to attempt to enact legal agreements and legal
>> obligation passing. Neither wasparticularly succesful, though there
>> is always large amounts of interest generated - given the nature of
>> those problems. Not a lot tends to result, however: reflecting the
>> fact prhaps that some things are just better handled procedurally,
>> rather than by using machine logic.
>>
>> -----Original Message-----
>> From: Nat Sakimura <n-sakimura at nri.co.jp>
>> Sent: Tuesday, July 29, 2008 11:40 PM
>> To: Johannes Ernst <jernst+openid.net at netmesh.us>; OpenID List  
>> <general at openid.net
>> >
>> Subject: Re: [OpenID] Musing on FaceBook, OpenID and the next
>> mountain to climb
>>
>>
>> I'd volunteer, but, for drafting the WG charter,
>> I need more input from the people on this list on
>> what should be in the scope.
>>
>> For me, I was thinking of the below for sometime:
>>
>> 1) Contralct Negotiation Protocol
>>   - Negotiates the terms of the use, and back channel data transfer
>> protocol.
>> 2) Reputation Service Protocol
>>   - Means to obtain the trustworthiness score of an assertion.
>>
>> In terms of Johannes's enumeration:
>>
>>>  - single-sign-on across the web with a simple user experience
>>   => OpenID Authentication 2.0 + some more security features.
>>
>>>  - high-quality identity information available to RPs
>>   => 1) + 2) above.
>>
>>>  - social network information available to RPs
>>   => 1) + 2) above.
>>
>>>  - communication from RP into the social network of the user
>>   => I am still vague on what it will be like.
>>      Could someone post a concrete example usecase, please?
>>
>> =nat
>>
>>
>>
>> On Wed, 30 Jul 2008 13:05:48 +0900, Johannes Ernst
>> <jernst+openid.net at netmesh.us> wrote:
>>
>>> Like others, I've been amazed about what Facebook has put together
>>> with Facebook Connect as announced last week.
>>>
>>> Their proposition for relying parties seems to be:
>>>
>>>  - single-sign-on across the web with a simple user experience
>>>  - high-quality identity information available to RPs
>>>  - social network information available to RPs
>>>  - communication from RP into the social network of the user
>>>
>>> and IMHO, that is indeed a great business proposition for RPs.
>>>
>>> Of course, they seem to be building this with Facebook-specific
>>> protocols, but that's not surprising given that the OpenID technology
>>> stack right now is insufficient to accomplish what they wanted to
>>> accomplish. But not dramatically so -- it might just be plugging some
>>> other technologies into OpenID (like XFN or FOAF etc.) and filling in
>>> some gaps if one wanted to do that.
>>>
>>> So ... methinks we should grow the OpenID stack over the next 6-12
>>> months to be able to do all of this (and more?) with open
>>> technologies. This would also make OpenID much more interesting to
>>> relying parties...
>>>
>>> Open protocols are clearly necessary to grow the entire market, which
>>> would be in the interest of everybody including Facebook.
>>>
>>> Anybody up to getting an OpenID working group started up to work on
>>> this?
>>>
>>> [Feel free to respond on the list or privately.]
>>>
>>>
>>>
>>> Johannes Ernst
>>> NetMesh Inc.
>>>
>>>
>>
>>
>>
>> --
>> =nat
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general



-- 
Opera の革新的メールクライアント: http://jp.opera.com/mail/

More information about the general mailing list